Attack Chain

1. Attacker creates a malicious model on the HuggingFace Hub. This model contains embedded Python code designed for malicious purposes.
2. Attacker social engineers a user to execute ilab train, ilab download, or ilab generate commands.
3. User executes the command, specifying the attacker’s malicious model from the HuggingFace Hub.
4. The linux_train.py script, due to the hardcoded trust_remote_code=True, downloads the malicious model.
5. The script loads the model, triggering the execution of the attacker’s embedded Python code.
6. The attacker’s code executes within the InstructLab process, allowing for arbitrary actions.
7. The attacker achieves persistence by modifying system files or creating new services.
8. The attacker gains full control of the compromised system, potentially exfiltrating data or causing further damage.

Impact

Successful exploitation of this vulnerability allows a remote attacker to execute arbitrary Python code on the target system. This can lead to complete system compromise, allowing the attacker to steal sensitive data, install malware, or disrupt operations. While the number of affected systems is currently unknown, any system running a vulnerable version of InstructLab and interacting with the HuggingFace Hub is at risk.

Recommendation

• Deploy the Sigma rules provided below to detect suspicious process creation events related to InstructLab executing code from temporary directories or with unusual network activity.
• Monitor process creation events for the execution of Python scripts with trust_remote_code=True within InstructLab’s processes using the provided Sigma rule.
• Implement strict controls and validation for models downloaded from HuggingFace, even if trust_remote_code=True is required.
• Apply any available patches or updates for InstructLab to address CVE-2026-6859 as provided by Red Hat.